Cyber Resilience

Cyber Comms Toolkit: General Data Protection Regulation (GDPR)

July 11, 2017

This toolkit has been developed to support your organisation to raise awareness within your communities/stakeholders of the forthcoming data protection reform. Please feel free to use and adapt these resources through your own communication channels.

In order to get your communities interested, engaged, and taking action to make their organisations compliant with GDPR, please consider sustaining communications activity throughout 2017/18. We suggest the following:

  • Incorporate this subject into your Communications Strategies.
  • Regular social media posts – original and retweets.
  • A news release, OpEd, or submit articles to specialist media for your sector.
  • Schedule articles, with sector-specific case studies, in your newsletters, blogs, journals.
  • Consider running a series of awareness raising events for your stakeholders.

BACKGROUND ON GDPR

The increasing use, and abuse, of personal and sensitive information has driven forward a profound reform of data protection law in Europe, shifting the balance of power towards the citizen to whom the personal data belongs and away from organisations that collect, analyse and use such data.

Building on the 1995 EU Data Protection Directive, the General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It will increase privacy for individuals and give regulatory authorities (in the UK, the Information Commissioner’s Office) greater powers to take action against organisations that breach the new law.

All organisations that use personal data will need to take action to protect personal information under the GDPR. Further changes include:

  • People will have increased rights of access to, portability of, and deletion of their personal data.
  • The Regulation gives stronger enforcement powers to regulators: maximum fines rise to €10 million or 2% of global annual turnover for lower-tier infringements, and €20 million or 4% for the most serious, whichever is higher (currently the ICO’s maximum fine is £500k). It will also become mandatory to report personal data breaches that are likely to pose a risk to individuals to the Information Commissioner within 72 hours of becoming aware of them.
  • Public sector organisations must appoint a Data Protection Officer who reports directly to the highest management level, has a more active role in auditing the organisation for compliance with the Regulation, and is the point of contact with the regulator.

There has been increasing concern that the pace of change has been insufficient to deal with the growing threat from cyber attacks, with potential implications for consumer confidence, public protection and economic growth. The UK Government will therefore focus on the implementation of the GDPR to incentivise and boost cyber risk management across the wider economy, rather than introducing additional regulation. For more information see the Cyber Security Regulation and Incentives Review, December 2016.

KEY MESSAGES:

  1. The new General Data Protection Regulation (GDPR) is the biggest change to data protection law for a generation. Will your organisation be ready when it comes into effect from 25 May 2018?
  2. All organisations that use personal data will need to take action to protect personal information under the GDPR.
  3. This regulation will be implemented into UK law regardless of the nature of the UK’s relationship with the European Union.
  4. The regulation will affect staff, systems, information management and governance practices.
  5. The biggest causes of data breaches can be avoided by making sure the basics are in place: educate all employees about data protection and the risk of phishing and other social engineering attacks, keep all operating systems and software up to date, and implement encryption for sensitive data.

There are many benefits to people, businesses and organisations from the measures set out in the GDPR, including:
  • strengthening citizens’ rights and helping them to have trust and confidence in the services they use.
  • combating international crime by supporting better cross-border cooperation with law enforcement.
  • removing obstacles to cross-border trade and enabling easier expansion of businesses across Europe.

Key changes include:

  • RIGHTS: People will have increased rights of access to, portability of, and deletion of their personal data. The definition of ‘personal data’ has also been updated to include location data, IP addresses and other online identifiers.
  • ACCOUNTABILITY: Organisations must review what, why and how they process information, and ensure the information is accurate and up to date.
  • PENALTIES: Maximum fines rise to €10 million or 2% of global annual turnover for lower-tier infringements, and €20 million or 4% for the most serious, whichever is higher (currently the ICO’s maximum fine is £500k).
  • REPORTING: It will become mandatory to report personal data breaches that are likely to pose a risk to individuals to the Information Commissioner within 72 hours of becoming aware of them.
  • DATA PROTECTION OFFICERS: Public sector organisations must also appoint a Data Protection Officer who reports directly to the highest level of management. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

SOCIAL MEDIA TEXT

Please feel free to use the following text or adapt to your particular audiences.

Short URLs:

Suggested posts (under 140 characters):

  • With less than a year to go, make sure your organisation will comply with #GDPR https://goo.gl/meKUkF
  • Show your customers that you take the security of their data seriously and get #GDPR ready. Guidance from the ICO at https://goo.gl/z1O7J4
  • #GDPR takes effect May ’18 – did you know @CyberEssentials can demonstrate you’ve taken steps to prevent data breaches? #CyberAwareScotland
  • The ICO’s toolkit for SMEs can help you get your business ready for #GDPR in 2018 be #CyberAwareScotland https://goo.gl/wPUm5b
  • #GDPR Reduce your data risk and get the basics in place: system/software updates, encrypt data, and educate staff #CyberAwareScotland
  • Stronger rules in #GDPR mean people have more control over their data & business benefits from level playing field https://goo.gl/S18bbW

The following suggested posts are based on the ICO’s “12 Steps to take now”:

  • Is your board aware of #GDPR and the impact this will have? Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • Start your information audit now to get ready for #GDPR in 2018 Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • Review your customer privacy notices and make a plan in time for #GDPR Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • #GDPR gives people greater rights to the personal data that you hold. Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • How will your org handle requests for access to/deletion of data #GDPR? Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • Update your ‘privacy notices’ now and get ready for #GDPR  Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • Review your customers’ ‘consent’ to use their personal data before #GDPR Be #CyberAwareScotland see ICO’s 12 Steps at https://goo.gl/meKUkF
  • Does your org use young people’s data & do you have guardian consent? Get ready for #GDPR and be #CyberAwareScotland https://goo.gl/meKUkF
  • #GDPR & Data Breaches: Make sure you have measures in place to detect, report & investigate. See ICO’s 12 Steps at https://goo.gl/meKUkF
  • Do you need to recruit/designate a Data Protection Officer ahead of #GDPR? Check rules https://goo.gl/fXdNl7 & https://goo.gl/meKUkF
  • #GDPR and International Orgs: Find out who your info authority will be in 2018, see the ICO’s 12 Steps at https://goo.gl/meKUkF

ARTICLE TEXT (approx. 500 Words) – feel free to adapt this text and include examples from your sector.

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Now is the time to take action to ensure you know exactly how it will affect your organisation.

The increasing use – and abuse – of personal and sensitive information has driven forward this reform of data protection law in Europe, shifting the balance of power towards the citizen to whom the personal data belongs and away from organisations that collect, analyse and use such data.

Building on the existing Data Protection Act, the new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will continue to apply to the UK after the Brexit negotiations, in order to allow businesses to work across the EU.

Every business and organisation that handles and uses personal information will need to consider what action it should take to protect that vital data under the GDPR.

This evolution in data protection has been developed to bring benefits to people, businesses and organisations. The measures set out in the GDPR will:

  • strengthen citizens’ rights and help them to have trust and confidence in the services they use.
  • combat international crime and support better cross-border cooperation of law enforcement.
  • remove obstacles to cross-border trade, enabling easier expansion of businesses across Europe.

The key changes include:

  • People will have increased rights of access to, portability of, and deletion of their personal data.
  • Organisations will need to be accountable for what, why and how they process information.
  • Maximum fines rise to €10 million or 2% of global annual turnover for lower-tier infringements, and €20 million or 4% for the most serious, whichever is higher (currently the ICO’s maximum fine is £500k).
  • It will become mandatory to report personal data breaches that are likely to pose a risk to individuals to the Information Commissioner within 72 hours of becoming aware of them.
  • Public sector organisations – and other organisations that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale – must appoint a Data Protection Officer who reports directly to the highest level of management.

What can your organisation do to be prepared for GDPR?

Getting ready to comply with the GDPR can start with reducing the risk of data breaches, and reducing that risk doesn’t need to be complicated. The biggest causes of data breaches can be avoided by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks.

Your organisation might also consider the Cyber Essentials scheme and the 10 Steps to Cyber Security, both developed by Government to help any organisation protect itself against the most common cyber attacks.

The Information Commissioner’s Office has also published a useful 12-step guide to help organisations review their current data protection activities and identify what needs to be done to comply with the new regulation. The ICO will be developing further guidance over the coming months, so keep an eye on its website for more information.

TRUSTED RESOURCES

The main sources for trusted information are the Information Commissioner’s Office and the European Commission:

ICO Links:

European Commission:

